MINISTRY OF EDUCATION
Technological University (Mandalay)
Department of Electronic Engineering

Virtual Private Network using IPSec and GRE Tunnels and QoS

Supervised by: Dr. Mya Sandar Oo
Presented by: Ma Moe Thet Hnin

VIEC-9
Outline of Presentation

• Abstract
• Introduction
• Aim and Objectives
• Scope of Thesis
• Hardware and software descriptions
• Implementation Procedure
• Components
• Theory of operation for VPN and QoS
• Discussion
• Conclusion
• References
Abstract
 The Internet is the global system of interconnected computer networks.
 As the use of PCs and handheld devices increases, wireless communication is expected to grow as well.
 A Virtual Private Network (VPN) is a secure way to maintain fast, reliable and private communications between offices wherever they are located.
 QoS technology enables the network administrator to assign the order in which packets are handled and the amount of bandwidth afforded to an application or traffic flow.
 This research shows how to build a secure private connection between devices in two remote networks and how to shape their traffic as desired.
Introduction
 Businesses, organizations, governments and many others holding sensitive information are at risk of hacking or other loss of data when using open Internet connections.
 As the use of PCs and handheld devices increases, wireless communication is expected to grow as well.
 One of the major concerns in wireless communication is security.
 A Virtual Private Network (VPN) is a secure solution that provides three main aspects of security, namely authentication, data integrity and confidentiality (encryption), and it can be used over wireless networks.
 Quality of Service is the ability to provide different priority to different applications, users or data flows, or to guarantee a certain level of performance to a data flow.
Aim and Objectives
Aim
• To create a more secure private network across the Internet
Objectives
• To apply and learn about MikroTik routers and the Winbox software
• To understand how the network system works
• To create tunnels for the secure movement of data from one network to another
• To prevent unauthorized access and keep attackers out
• To reserve sufficient bandwidth for a high-priority user (e.g. the boss) by limiting the others
Scope of Thesis

 The clients obtain their IP addresses dynamically.
 Apply NAT to give the clients Internet access.
 Create the VPN network.
 Apply the QoS service.

Hardware and Software Descriptions

Hardware Descriptions
• MikroTik routers
• UTP cables
• RJ-45 connectors
• Client laptops

Software Descriptions
• Winbox software
Implementation Procedure

 Study the MikroTik routers and the cable types.
 Bring Internet connectivity from the external source to the router.
 Assign IP addresses to the client devices dynamically (DHCP).
 Apply NAT so that the clients can reach the Internet.
 Connect all routers and create the tunnel for the VPN.
 Apply the QoS service for the high-priority user.
Network topology (figure): R1 and R2 each reach the Internet through their WAN addresses 192.168.100.8 (R1) and 192.168.100.11 (R2), and are joined by a physical line addressed 12.12.12.1/30 (R1) and 12.12.12.2/30 (R2). R1 is the gateway 192.168.90.1 for the client LAN 192.168.90.0/24; R2 is the gateway 192.168.110.1 for the client LAN 192.168.110.0/24. One client sits on each LAN.
Active TKIP Feature in R1
WPA PSK and WPA2 PSK authentication types

• TKIP and AES (Advanced Encryption Standard) are two different types of encryption that can be used to protect wireless networks.
• TKIP is an older encryption protocol introduced with WPA to replace the very insecure WEP encryption of the time.
• WPA uses TKIP (Temporal Key Integrity Protocol), while WPA2 can use TKIP or the more advanced AES-based cipher (CCMP).
• AES (as CCMP) is the more secure encryption protocol introduced with WPA2. TKIP has since been deprecated and should only be enabled for legacy clients that cannot do AES, because in a mixed TKIP/AES profile the group (broadcast) key falls back to TKIP.
• AES is a worldwide encryption standard that has been adopted by the US government.
Network scanning to connect with desired network
Configuration in wireless section
DHCP Server
• A DHCP server is a network server that automatically provides and assigns IP addresses, default gateways and other network parameters to client devices.
• It relies on the standard protocol known as Dynamic Host Configuration Protocol (DHCP) to respond to broadcast queries from clients.
• Without it, the network administrator has to set up every client that joins the network manually, which is cumbersome, especially in large networks.
• DHCP servers usually assign each client a unique dynamic IP address, which may change once the client's lease for that address has expired.
• The DHCP process goes through four stages when assigning an IP address to a client, often abbreviated DORA: discover, offer, request and acknowledgement.
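The four DORA stages and the lease table behind them, as an added example (not part of the thesis and not MikroTik code): a small server model hands the R1 pool 192.168.90.10-192.168.90.254 out to clients, reuses a client's unexpired lease, returns expired addresses to the pool, and refuses a REQUEST for an address it never offered. The client MACs, transaction ids and timestamps are constructed for the example.

```python
"""
Added example (not from the thesis): a minimal DHCP server model that walks
a client through Discover -> Offer -> Request -> Ack and keeps a lease table.
Pool and gateway follow the thesis topology for R1 (192.168.90.0/24);
client MACs, transaction ids and times are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

GATEWAY = IPv4Address("192.168.90.1")
POOL_START = IPv4Address("192.168.90.10")
POOL_END = IPv4Address("192.168.90.254")


@dataclass
class DhcpMessage:
    kind: str           # DISCOVER, OFFER, REQUEST, ACK or NAK
    xid: int            # transaction id chosen by the client
    mac: str
    yiaddr: str = ""    # address offered or assigned by the server
    options: dict = field(default_factory=dict)


@dataclass
class DhcpServer:
    lease_time: int = 600
    leases: dict = field(default_factory=dict)   # ip -> (mac, expiry time)
    offers: dict = field(default_factory=dict)   # xid -> offered ip

    def _free_address(self, mac, now):
        # A client with an unexpired lease gets its own address back first.
        for ip, (held_mac, expiry) in self.leases.items():
            if held_mac == mac and expiry > now:
                return ip
        # Otherwise the lowest address that is unleased or whose lease expired.
        ip = POOL_START
        while ip <= POOL_END:
            held = self.leases.get(str(ip))
            if held is None or held[1] <= now:
                return str(ip)
            ip += 1
        return None

    def handle(self, msg, now=0):
        if msg.kind == "DISCOVER":                       # stage 1 -> stage 2 (Offer)
            ip = self._free_address(msg.mac, now)
            if ip is None:
                return None                              # pool exhausted: stay silent
            self.offers[msg.xid] = ip
            return DhcpMessage("OFFER", msg.xid, msg.mac, ip,
                               {"router": str(GATEWAY), "lease": self.lease_time})
        if msg.kind == "REQUEST":                        # stage 3 -> stage 4 (Ack/Nak)
            wanted = msg.options.get("requested_ip")
            if self.offers.get(msg.xid) != wanted:
                return DhcpMessage("NAK", msg.xid, msg.mac)
            self.leases[wanted] = (msg.mac, now + self.lease_time)
            del self.offers[msg.xid]
            return DhcpMessage("ACK", msg.xid, msg.mac, wanted,
                               {"router": str(GATEWAY), "lease": self.lease_time})
        raise ValueError("unexpected message " + msg.kind)


def dora(server, mac, xid, now=0):
    """Client side of the exchange; returns the assigned address or None."""
    offer = server.handle(DhcpMessage("DISCOVER", xid, mac), now)
    if offer is None:
        return None
    ack = server.handle(DhcpMessage("REQUEST", xid, mac,
                                    options={"requested_ip": offer.yiaddr}), now)
    return ack.yiaddr if ack.kind == "ACK" else None
```

Nothing in the exchange authenticates the server: a rogue DHCP server on the same LAN that answers the broadcast first hands out its own gateway, which is why the client LANs behind R1 and R2 should be kept to trusted hosts and why any QoS rule keyed on a client address should be backed by a static lease for that MAC.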
Gateway for R1 client side
Gateway for R2 client side
DHCP result in R1 client
DHCP result in R2 client
Network Address Translation (NAT)

• Network Address Translation (NAT) is the process by which a network device, usually a router or firewall, presents a public address on behalf of a computer (or group of computers) inside a private network.
• NAT is used to limit the number of public IP addresses an organization or company must use, for both economic and security reasons.
• A NAT box located where the LAN meets the Internet makes all the necessary IP address translations.
• NAT serves three main purposes:
1) Hides internal IP addresses, which gives a firewall-like effect for unsolicited inbound traffic (it is not a substitute for firewall filter rules).
2) Enables a company to use more internal IP addresses. Since they are used internally only, there is no possibility of conflict with IP addresses used by other companies and organizations.
3) Allows a company to combine multiple upstream connections (e.g. ISDN lines) into a single Internet connection.
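The translation R1 performs for its clients, as an added example (not part of the thesis and not RouterOS code): a source-NAT table maps each outbound flow from 192.168.90.0/24 to the WAN address 192.168.100.8 and a fresh port, maps replies back, and drops inbound packets that match no existing mapping. The flows, ports and remote hosts are constructed.

```python
"""
Added example (not from the thesis): a source-NAT ("masquerade") table of
the kind R1 applies so that 192.168.90.0/24 reaches the Internet from its
WAN address 192.168.100.8.  Flows and remote hosts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (proto, src, sport, dst, dport) -> public port
        self.in_map = {}    # (proto, public port, dst, dport) -> (src, sport)

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the public address and a unique port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: only packets matching an existing mapping are forwarded."""
        entry = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None             # no state for this flow: dropped
        src, sport = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, src, sport)
```

The drop in `inbound` is the whole of the "firewall" that NAT provides: it only protects hosts that never initiated a flow, and it says nothing about what comes back on a flow the client did open, so the router still needs explicit filter rules.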
Ping result from R1 client
Ping result from R2 client
Traceroute result from R2 client
Bridging
VPN structure
Tunnels
• A tunnel is a method of encapsulating packets in the network.
• Before a packet is transmitted, an additional tunnel header is prepended to it, and the packet is then forwarded according to that outer header.
• Once the packet arrives at the tunnel destination, the tunnel header is removed and the packet is forwarded according to its original (inner) header.
• Tunnels are usually used for VPN connections.



Protocols used in VPN

• IPsec – Internet Protocol Security
• GRE (IP protocol 47) – Generic Routing Encapsulation
• PPTP – Point-to-Point Tunneling Protocol
• L2TP – Layer 2 Tunneling Protocol


IP Tunnel

• IP protocol 4 (IPIP) creates a tunnel by encapsulating IP packets in IP packets and sending them to another router.
• IPIP is a layer 3 tunnel, often used for connecting two disjoint IP networks that have no native routing path to each other, via an underlying routable protocol across an intermediate transport network.
• To create a tunnel, you must specify the addresses of the local and remote routers on both sides of the tunnel.
VPN network using IPSec
IP tunnel in R1
Assign WAN ip in R1 background
IP Tunnel in R2
Assign WAN ip in R1 background
Traceroute from R1
Traceroute from R2
IPSec Tunnel Configuration
GRE Tunnel

• The additional key field available in the GRE header identifies the tunnel: a 32-bit key widens the space a peer has to match beyond the 32-bit source address alone. The key travels in clear text, so it is a tunnel selector rather than real authentication; that is what IPsec adds.
• Unlike IPIP tunnels, a GRE tunnel can carry multicast traffic, other protocols or IPv6 between networks.
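The two encapsulations from the IP Tunnel and GRE Tunnel slides side by side, as an added example (not from the thesis and not RouterOS code): an inner IPv4 packet between the two client LANs is wrapped in an outer header with protocol 4 (IPIP) and with protocol 47 plus a GRE header carrying a key, then unwrapped at the far end. The tunnel endpoints are the thesis WAN addresses; the inner packet and the key value are constructed. The checksum check and the key comparison are what a receiving router does before accepting the packet.

```python
"""
Added example (not from the thesis): build and parse IPIP (IP protocol 4)
and GRE (IP protocol 47, RFC 2784/2890 header) encapsulation of an IPv4
packet.  Endpoints are the thesis WAN addresses; payload and key are
constructed for the example.
"""
import struct

IPPROTO_IPIP = 4
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 one's-complement sum; 0 when run over a header with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto,
            "payload": pkt[ihl:total_len]}


def ipip_encap(inner, local, remote):
    """IPIP: outer IPv4 header with protocol 4, inner IPv4 packet follows unchanged."""
    return ipv4_header(local, remote, IPPROTO_IPIP, len(inner)) + inner


def gre_encap(inner, local, remote, ethertype, key=None):
    """GRE: flags/version and protocol type, then the optional 32-bit key."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, ethertype)
    if key is not None:
        gre += struct.pack("!I", key)
    return ipv4_header(local, remote, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def decap(pkt, expected_key=None):
    """Receiving side: strip the outer header and return what the tunnel carried."""
    outer = parse_ipv4(pkt)
    body = outer["payload"]
    if outer["proto"] == IPPROTO_IPIP:
        return {"tunnel": "ipip", "outer": outer, "inner": parse_ipv4(body)}
    if outer["proto"] == IPPROTO_GRE:
        flags, ethertype = struct.unpack("!HH", body[:4])
        off, key = 4, None
        if flags & GRE_FLAG_CHECKSUM:
            off += 4                       # checksum + reserved1
        if flags & GRE_FLAG_KEY:
            key = struct.unpack("!I", body[off:off + 4])[0]
            off += 4
        if flags & GRE_FLAG_SEQ:
            off += 4
        if expected_key is not None and key != expected_key:
            raise ValueError("GRE key mismatch: packet dropped")
        inner = parse_ipv4(body[off:]) if ethertype == ETHERTYPE_IPV4 else body[off:]
        return {"tunnel": "gre", "outer": outer, "ethertype": ethertype,
                "key": key, "inner": inner}
    raise ValueError("not a tunnel packet")
```

The protocol type field is why GRE can carry IPv6 or multicast where IPIP cannot, and the key is a 32-bit match in clear text: anyone who can read the link can read it and the inner payload alike, which is the gap the IPsec configuration on the following slides closes.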
VPN using GRE
Traceroute from R1
Traceroute from R2
Quality of service (QoS)

• Quality of Service (QoS) is the description or measurement of the overall performance of a service, such as a telephony or computer network or a cloud computing service, particularly the performance seen by the users of the network.
• Quality of Service is the ability to provide different priority to different applications, users or data flows, or to guarantee a certain level of performance to a data flow.
• The primary function of QoS is to ensure that every application gets the bandwidth it needs to function at the desired level.
Speedtest Result without QoS Service
Test and Results

Result using IPSec


Result using GRE
Result of Queue 2

Result of Queue 1
Result of Queue 2 nd

Result of Queue 1 nd
Discussion
• In this thesis, the IPsec and GRE protocols are used to build the VPN network.
• IPsec is a framework of techniques used to secure the connection between two points.
• IPsec offers more security than GRE because it authenticates the peers and encrypts and integrity-protects the packets; GRE by itself only encapsulates them.
• With GRE, a virtual tunnel is created between the two endpoints and packets are sent through the GRE tunnel.
• When using IPsec, each router learns and authenticates its remote peer automatically through the IKE negotiation.
• Since leased lines are not required for a VPN, the cost is clearly reduced.
• If the QoS function is not applied, the client gets the service without limitations.
Conclusion

• In general, an enterprise uses a WAN service provided by an ISP to connect to its branch offices.
• The WAN cost is higher than the VPN cost, and there is a risk of security threats when data is transferred over a public network.
• To mitigate enterprise network threats and vulnerabilities, a VPN is a reliable technology for creating the private connection at low cost.
• QoS is going to play an increasingly important role in making sure that certain data streams are given priority over others, so that they operate efficiently and information flows in a timely manner.